Monitoring apparatus and driving force control system

ABSTRACT

a monitoring apparatus used in a vehicle is provided to communicate with an electronic control apparatus that controls a driving force of the vehicle by executing any one of a plurality of predetermined different controls. The monitoring apparatus receives a vehicle specification from the electronic control apparatus, and determines whether the received vehicle specification is appropriate, to provide a determination result. The monitoring apparatus further sets whether at least one of the predetermined different controls is permitted or not permitted to be executed by the electronic control apparatus in response to the determination result.

CROSS REFERENCE RELATED APPLICATION

The present application claims the benefit of priority from JapanesePatent Application No. 2019-28621 filed on Feb. 20, 2019. The entiredisclosure of the above application is incorporated herein by reference.

TECHNICAL FIELD

The present disclosure relates to a technique for controlling drivingforce of a vehicle.

BACKGROUND

A system is known in which a plurality of electronic control unitscommunicate with each other. For example, a technique is proposed whichtransmits and receives data necessary for execution of processing by theelectronic control units during operation of the system.

There is a driving force monitoring system that includes a plurality ofelectronic control units to control the driving force of a vehicle.Also, in such a driving force monitoring system, necessary data aretransmitted and received by the respective electronic control units toexecute processing while securing a safety of an occupant.

SUMMARY

According to an example of the present disclosure, a monitoringapparatus used in a vehicle is provided to communicate with anelectronic control apparatus that controls a driving force of thevehicle by executing any one of a plurality of predetermined differentcontrols. The monitoring apparatus receives a vehicle specification fromthe electronic control apparatus, and determines whether the receivedvehicle specification is appropriate, to provide a determination result.The monitoring apparatus further sets whether at least one of thepredetermined different controls is permitted or not permitted to beexecuted by the electronic control apparatus in response to thedetermination result.

BRIEF DESCRIPTION OF DRAWINGS

The objects, features and advantages of the present disclosure willbecome more apparent from the following detailed description made withreference to the accompanying drawings. In the drawings;

FIG. 1 is a block diagram illustrating a configuration of a drivingforce control system according to a first embodiment;

FIG. 2 is a flowchart of a control setting process according to thefirst embodiment;

FIG. 3 is a flowchart of a control setting process according to thefirst embodiment;

FIG. 4 is a flowchart of a control setting process according to a secondembodiment;

FIG. 5 is a flowchart of a control setting process according to thesecond embodiment;

FIG. 6 is a flowchart of a control setting process according to thesecond embodiment; and

FIG. 7 is a block diagram showing a configuration of a modified exampleof the driving force control system.

DETAILED DESCRIPTION

The following describes embodiments of the present disclosure withreference to the drawings.

1. First Embodiment 1-1. Configuration

A driving force control system 1 shown in FIG. 1 includes a mainmicrocomputer 11, a sub microcomputer 12, and a monitoring apparatus 13.These apparatuses or the like are connected with each other via acommunication link 51 and are housed in one housing 2. The driving forcecontrol system 1; which is mounted in a vehicle (i.e., a host vehicle),provides a function of controlling the driving force of the vehicle,calculates the driving force based on the accelerator opening, the shiftrange; the vehicle speed, and the like, and outputs a control signal toa driving source. Here, the driving source corresponds to an engine, amotor, or the like that generates a driving force for driving thevehicle.

The main microcomputer 11 corresponds to a first electronic controlunit, and the sub microcomputer 12 corresponds to a second electroniccontrol unit. Further, an electronic control apparatus may be defined toinclude the main microcomputer 11 and the sub microcomputer 12.

The main microcomputer 11 is a microcomputer having a CPU and asemiconductor memory such as a RAM or a ROM. Each function of the mainmicrocomputer 11 is realized by the CPU executing a program stored in anon-transitory tangible storage medium. In this example, the memorycorresponds to the non-transitory tangible storage medium storing theprogram. The sub microcomputer 12 is a microcomputer having the sameconfiguration as that of the main microcomputer 11. The non-volatilememory 11 a included in the main microcomputer 11 and the non-volatilememory 12 a included in the sub microcomputer 12 each store vehiclespecifications (i.e., a vehicle specification group) of the vehicle onwhich the driving force control system 1 is mounted. Here, the vehiclespecifications correspond to parameters that vary depending on thevehicle type; the parameters including vehicle weight, tire diameter,and differential ratio.

The main microcomputer 11 includes a first primary calculation module21, an operation monitoring module 22, a first auxiliary calculationmodule 23, and a first diagnosis module 24. The first primarycalculation module 21 is configured to calculate a normal driving force.The normal driving force is a driving force obtained by a predeterminedcalculation when no abnormality is detected in the driving force controlsystem 1. The normal driving force is optimized according to the vehicletype and grade of the vehicle. In the present embodiment, the firstprimary calculation module 21 first performs a driving force calculationthat does not depend on the vehicle specifications, and then performs acorrection considering the vehicle specifications. The former drivingforce calculation is a first calculation for determining the targetvehicle speed from the accelerator opening. The latter correction is asecond calculation for converting the target vehicle speed into adriving force based on vehicle specifications. The vehiclespecifications used for the second calculation are stored in thenonvolatile memory 11 a of the main microcomputer 11.

The operation monitoring module 22 performs monitoring of the normaloperation of the sub microcomputer 12 by so-called watchdog monitoringthat checks a signal periodically transmitted from the sub microcomputer12.

The first auxiliary calculation module 23 is configured to calculate thedriving force for fallback travel (the fallback travel driving force).The fallback travel driving force is a driving force obtained by asimplified calculation method compared with a calculation forcalculating a normal driving force. The fallback travel driving forcehas fewer conditions to be considered in the calculation than the normaldriving force. As a result, for example, the driving force is limited infunction compared to the normal driving force, and there is nocharacteristic of the driving force for each vehicle type. In thepresent embodiment, the first auxiliary calculation module 23 firstperforms a driving force calculation that does not depend on the vehiclespecifications, as in the first primary calculation module 21, and thenperforms a correction in consideration of the vehicle specifications.

The main microcomputer 11 outputs a control signal to the drive sourceso as to realize the normal driving force determined by the firstprimary calculation module 21 or the fallback driving force determinedby the first auxiliary calculation module 23. Hereinafter, the drivingforce control using the normal driving force is also referred to as anormal control. Further, the driving force control using the fallbacktravel driving force is hereinafter also referred to as a fallbackcontrol.

The first diagnosis module 24 diagnoses an abnormality in the mainmicrocomputer 11. Here, ROM/RAM check, internal circuit abnormalitydiagnosis, and the like in the main microcomputer 11 are executed byknown methods. The first diagnosis module 24 notifies the monitoringapparatus 13 of the presence or absence of an abnormality obtained bythe diagnosis.

The sub microcomputer 12 includes a second primary calculation module31, a second auxiliary calculation module 32, and a second diagnosismodule 33. The second primary calculation module 31 is configured tocalculate a normal driving force. The normal driving force here is thesame as the normal driving force calculated by the first primarycalculation module 21. The vehicle specifications used for thecalculation are stored in the nonvolatile memory 12 a of the submicrocomputer 12. Further, the second primary calculation module 31compares the normal driving force obtained by the second primarycalculation module 31 with the normal driving force obtained by thefirst primary calculation module 21. Thus, it is monitored that the mainmicrocomputer 11 is operating normally. In the present embodiment, thenormal driving force obtained by the second primary calculation module31 is only used for the above-described comparison, and is not used forcontrolling the driving source.

The second auxiliary calculation module 32 is configured to calculatethe fallback travel driving force. The fallback travel drive force hereis the same as the fallback travel drive force calculated by the firstauxiliary calculation module 23. Unlike the normal driving forceobtained by the second primary calculation module 31, the fallbacktravel driving force obtained here may be used for controlling the drivesource.

The second diagnosis module 33 diagnoses an abnormality in the submicrocomputer 12. Here, ROM/RAM check, internal circuit abnormalitydiagnosis, and the like in the sub microcomputer 12 are executed byknown methods. The second diagnosis module 33 notifies the monitoringapparatus 13 of the presence or absence of an abnormality obtained bythe diagnosis.

As an example, in the present embodiment, the monitoring apparatus 13 isprovided as a so-called ASIC (Application Specific Integrated Circuit),which is an integrated circuit for realizing a plurality of functionsdescribed below. The monitoring apparatus 13 includes a memory 13 a thatis a volatile memory. The memory 13 a includes at least a storage areafor storing vehicle specifications and a storage area for managingvarious flags.

The monitoring apparatus 13 may be configured as one or more controllers(i.e., control circuits, or processors) by including a plurality ofmodules, which may be also referred to as steps, sections, or units, toachieve the respective functions. The modules include a specificationreception module 41, a determination module 42, a setting module 43, anabnormality reception module 44, a notification module 45, and a thirdcalculation module 46.

The specification reception module 41 is configured to receive vehiclespecifications from each of the main microcomputer 11 and the submicrocomputer 12, individually. The received vehicle specifications arestored in the memory 13 a.

The determination module 42 is configured to determine whether or notthe vehicle specifications received by the specification receptionmodule 41 are appropriate. The determination module 42 determines thatthe vehicle specifications received from the main microcomputer 11 andthe vehicle specifications received from the sub microcomputer 12 match,and determines that they are not appropriate when they do not match.

According to the determination result by the determination module 42,the setting module 43 sets whether a subject control is permitted to beexecuted by the main microcomputer 11 and whether the subject control ispermitted to be executed by the sub microcomputer 12. The subjectcontrol corresponds to at least one (one in this embodiment) controlamong a plurality (two in this embodiment) of predetermined differentcontrols. In the present embodiment, each of the main microcomputer 11and the sub microcomputer 12 can execute the above-described normalcontrol and the fallback control.

The abnormality reception module 44 receives the above-describedabnormality diagnosis result from the main microcomputer 11 before thespecification reception module 41 receives the vehicle specificationsfrom the main microcomputer 11. The abnormality reception module 44receives the above-described abnormality diagnosis result from the submicrocomputer 12 before the specification reception module 41 receivesthe vehicle specifications from the sub microcomputer 12.

The notification module 45 is configured to perform an output fornotifying an occupant of the vehicle of an abnormality. The outputdestination is, for example, a control device (not shown) that controlsa display and a speaker. The notification module 45 performs theabove-described output to the control device when the determinationmodule 42 determines that the vehicle specifications received by thespecification reception module 41 are not appropriate. The controldevice receives the output and causes a display or a speaker to performpredetermined image display or audio output.

The third calculation module 46 is configured to calculate the fallbacktravel driving force. The fallback travel drive force here is the sameas the fallback travel drive force calculated by the first auxiliarycalculation module 23. The vehicle specifications used for thecalculation are the vehicle specifications, which are acquired from themain microcomputer 11 or the sub microcomputer 12 after the monitoringapparatus 13 is activated and then stored in the memory 13 a. The thirdcalculation module 46 corresponds to a calculation module.

1-2. Processes

A control setting process executed by the monitoring apparatus 13 willbe described with reference to the flowcharts of FIGS. 2 to 3. Thisprocess is started when there is a request to activate or start thevehicle. The request for activating the vehicle includes, for example, amanipulation of pressing a predetermined button for activating thevehicle, or a manipulation of turning on the ignition key by the user.

First, in S1, the monitoring apparatus 13 determines whether or not ithas vehicle specifications at this time, that is, whether or not thevehicle specifications are stored in the memory 13 a. For example, whenthe data in the memory 13 a is not lost, such as if the period of timefrom when the power supply of the monitoring apparatus 13 is turned offto when it is turned on is extremely short, it is determined in S1 thatthe vehicle specifications are stored.

If the monitoring apparatus 13 determines that the vehiclespecifications are stored in S1, the monitoring apparatus 13 proceeds toS13. On the other hand, if the monitoring apparatus 13 determines in S1that the vehicle specifications are not stored, the monitoring apparatus13 proceeds to S2 and prohibits the vehicle activation. Here, forexample, a flag for permitting vehicle activation is turned off.

In S3, the monitoring apparatus 13 receives the abnormality diagnosisresult of the main microcomputer 11 from the first diagnosis module 24.In S4, the monitoring apparatus 13 determines whether or not there is anabnormality in the main microcomputer 11. If the monitoring apparatus 13determines that there is an abnormality in the main microcomputer 11 inS4, the control setting process is ended without permitting the vehicleactivation.

On the other hand, if the monitoring apparatus 13 determines in S4 thatthere is no abnormality in the main microcomputer 11, the monitoringapparatus 13 proceeds to S5 and receives vehicle specifications from themain microcomputer 11. In S6, the monitoring apparatus 13 receives theabnormality diagnosis result of the sub microcomputer 12 from the seconddiagnosis module 33.

In S7, the monitoring apparatus 13 determines whether there is anabnormality in the sub microcomputer 12. If the monitoring apparatus 13determines that there is an abnormality in the sub microcomputer 12 inS7, the monitoring apparatus 13 ends this control setting processwithout permitting vehicle activation.

On the other hand, if the monitoring apparatus 13 determines that thereis no abnormality in the sub microcomputer 12 in S7, the monitoringapparatus 13 proceeds to S8 and receives vehicle specifications from thesub microcomputer 12. In S9, the monitoring apparatus 13 determineswhether or not the vehicle specifications received in S5 matches thevehicle specifications received in S8.

If the monitoring apparatus 13 determines in S9 that the vehiclespecifications received in S5 does not match the vehicle specificationsreceived in S8, the monitoring apparatus 13 proceeds to S10 and disablesthe fallback travel. Here; for example; a flag for permitting fallbacktravel is turned off. In S11, the monitoring apparatus 13 outputs asignal to a control device that controls a display and/or a speaker (notshown) to provide a notification that notifies the occupant of thefailure. Here, for example, the notification indicates that a normaloperation is possible, but there is a failure part, so that the repairshould be performed. Thereafter, the process proceeds to S14.

If the monitoring apparatus 13 determines that the vehiclespecifications matches in S9, the monitoring apparatus 13 proceeds toS12 and stores the received vehicle specifications in the memory 13 a ofthe monitoring apparatus 13. In S13, the monitoring apparatus 13 enablesthe fallback travel. Here, for example, a flag for permitting fallbacktravel is turned on.

In S14; the monitoring apparatus 13 permits vehicle activation. Here;for example, a flag for permitting vehicle activation is turned on andthe vehicle is activated. Thereafter, the process proceeds to S21 inFIG. 3.

The processing after S21 is performed after the vehicle activation ispermitted. In addition; D and E in FIG. 3 show the process sequence inthe second embodiment mentioned later, and are not used in the firstembodiment.

In S21, the monitoring apparatus 13 determines whether or not theoccupant has performed a stop manipulation. Examples of the stopmanipulation include a manipulation of pressing a button for stoppingthe operation of the vehicle and a manipulation of turning off anignition key. If the monitoring apparatus 13 determines in S21 that theoccupant has performed a stop manipulation, the control setting processis ended.

On the other hand, if the monitoring apparatus 13 determines in S21 thatthe occupant has not performed a stop manipulation, the monitoringapparatus 13 proceeds to S22 and determines whether or not anabnormality has occurred in the main microcomputer 11. The submicrocomputer 12 determines whether the error between the calculationresult of the first primary calculation module 21 of the mainmicrocomputer 11 and the calculation result of the second primarycalculation module 31 of the sub microcomputer 12 is within an allowablerange. If the error is not within the allowable range, the submicrocomputer 12 notifies the monitoring apparatus 13; the monitoringapparatus 13 thereby determines that an abnormality has occurred in themain microcomputer 11. The occurrence of abnormality in the mainmicrocomputer 11 may be determined from the output signal of the firstdiagnosis module 24.

If the monitoring apparatus 13 determines in S22 that an abnormality hasoccurred in the main microcomputer 11, the monitoring apparatus 13proceeds to S24. On the other hand, if the monitoring apparatus 13determines in S22 that no abnormality has occurred in the mainmicrocomputer 11, the monitoring apparatus 13 proceeds to S23.

In S23, the monitoring apparatus 13 determines whether or not anabnormality has occurred in the sub microcomputer 12. The mainmicrocomputer 11 performs a watchdog monitoring to monitor the submicrocomputer 12. When there is an abnormality in the periodic signalfrom the sub microcomputer 12, the main microcomputer 11 notifies themonitoring apparatus 13; the monitoring apparatus 13 thereby determinesthat an abnormality has occurred in the sub microcomputer 12. Theoccurrence of abnormality in the sub microcomputer 12 may be determinedfrom the output signal of the second diagnosis module 33.

If the monitoring apparatus 13 determines in S23 that an abnormality hasoccurred in the sub microcomputer 12, the monitoring apparatus 13proceeds to S29. On the other hand, if the monitoring apparatus 13determines in S23 that no abnormality has occurred in the submicrocomputer 12, the monitoring apparatus 13 proceeds to S21.

As described above, when the occupant does not perform a stopmanipulation and neither the main microcomputer 11 nor the submicrocomputer 12 has an abnormality, S21 to S23 are repeated. That is,the monitoring apparatus 13 stands by until a stop manipulation isperformed by the occupant or until an abnormality occurs in the mainmicrocomputer 11 or the sub microcomputer 12. The monitoring apparatus13 may be in a sleep state until it receives predetermined signals fromthe sensor for detecting the stop manipulation, from the mainmicrocomputer 11, or from the sub microcomputer 12 to thereby exit fromthe loop of S21 to S23. When an abnormality occurs in the mainmicrocomputer 11 or the sub microcomputer 12, a microcomputer in whichno abnormality has occurred among the main microcomputer 11 and the submicrocomputer 12 performs fallback control when it is determined thatthe flag for fallback travel is on in S24 or S29 described later, forexample.

S24 is executed when an abnormality has occurred in the mainmicrocomputer 11. The monitoring apparatus 13 continuously checkswhether the fallback control by the sub microcomputer 12 is normallyperformed by the processing of S24 to S28.

In S24, the monitoring apparatus 13 determines whether or not thefallback travel is enabled to be executed based on the flag set in S10and S13, for example. If the monitoring apparatus 13 determines in S24that the fallback travel is not enabled to be performed, the monitoringapparatus 13 proceeds to S34. On the other hand, if the monitoringapparatus 13 determines in S24 that the fallback travel is enabled to beexecuted, the monitoring apparatus 13 proceeds to S25.

In S25, the monitoring apparatus 13 simulates the driving forcecalculation for the fallback travel. Here, the fallback travel drivingforce is calculated using the vehicle specifications stored in S12. InS26, the monitoring apparatus 13 receives the driving force calculationresult for the fallback travel from the sub microcomputer 12.

In S27, the monitoring apparatus 13 determines whether or not an errorbetween the calculation result in S25 and the calculation resultreceived in S26 is within an allowable range. If the error is within theallowable range, it can be estimated that the calculation result of thesub microcomputer 12 is normal. This allowable range can be set to arange where the error can be estimated to be within a normal range. Notethat the error may be determined to be within the allowable range onlywhen no error has occurred.

If the monitoring apparatus 13 determines in S27 that the calculationerror is not within the allowable range, the monitoring apparatus 13proceeds to S34. On the other hand, if the monitoring apparatus 13determines in S27 that the calculation error is within the allowablerange, the monitoring apparatus 13 proceeds to S28.

In S28, the monitoring apparatus 13 determines whether or not theoccupant has performed a stop manipulation. If the monitoring apparatus13 determines in S28 that the occupant has not performed a stopmanipulation, the monitoring apparatus 13 returns to S25. On the otherhand, if the monitoring apparatus 13 determines in S28 that the occupanthas performed a stop manipulation, the process proceeds to S35.

S29 is executed when an abnormality has occurred in the submicrocomputer 12. The monitoring apparatus 13 continuously checkswhether the fallback control by the main microcomputer 11 is normallyperformed through the processing of S29 to S33.

In S29, the monitoring apparatus 13 determines whether or not thefallback travel is enabled to be executed based on the flag set in S10and S13, for example. If the monitoring apparatus 13 determines in S29that the fallback travel is not possible, the monitoring apparatus 13proceeds to S34. On the other hand, if the monitoring apparatus 13determines in S29 that the fallback travel is enabled to be performed,the monitoring apparatus 13 proceeds to S30.

In S30, the monitoring apparatus 13 simulates the driving forcecalculation for the fallback travel. Here, the fallback travel drivingforce is calculated using the vehicle specifications stored in S12. InS31, the monitoring apparatus 13 receives the driving force calculationresult for the fallback travel from the main microcomputer 11.

In S32, the monitoring apparatus 13 determines whether or not an errorbetween the calculation result in S30 and the calculation resultreceived in S31 is within an allowable range. If the error is within theallowable range, it can be estimated that the calculation result of themain microcomputer 11 is normal.

If the monitoring apparatus 13 determines in S32 that the calculationerror is not within the allowable range, the monitoring apparatus 13proceeds to S34. On the other hand, if the monitoring apparatus 13determines in S32 that the calculation error is within the allowablerange, the monitoring apparatus 13 proceeds to S33.

In S33, the monitoring apparatus 13 determines whether the occupant hasperformed a stop manipulation. If the monitoring apparatus 13 determinesin S33 that the occupant has not performed a stop manipulation, themonitoring apparatus 13 returns to S30. On the other hand, if themonitoring apparatus 13 determines in S30 that the occupant hasperformed a stop manipulation, the process proceeds to S35.

In S34, the monitoring apparatus 13 prohibits the output of the drivingforce. Here, for example, a flag for permitting the main microcomputer11 and the sub microcomputer 12 to perform fallback travel is turnedoff. If an abnormality is detected in either the main microcomputer 11or the sub microcomputer 12, the normal travel is not enabled to beperformed. Further, the fallback travel is prohibited. Thus output ofdriving force based on each of the normal control and the fallbackcontrol is prohibited.

In S35, after the vehicle is stopped, the monitoring apparatus 13notifies the occupant of the failure by outputting a signal to a controldevice that controls a display and a speaker (not shown). Here, forexample, it is notified that the vehicle is not enabled to travel due toa failure. After S35, the present process is ended.

S5 and S8 correspond to the processing as the specification receptionmodule 41. S9 corresponds to the processing as the determination module42. S10 and S13 correspond to processing as the setting module 43. S3and S6 correspond to the processing as the abnormality reception module44. S11 corresponds to the processing as the notification module 45. S25and S30 correspond to processing as the third calculation module 46.

1-3. Effects

According to the first embodiment detailed above, the following effectsmay be provided.

(1a) In the driving force control system 1 of the first embodiment, themonitoring apparatus 13 permits the fallback control only when thereceived vehicle specifications are appropriate. When the fallbackcontrol is executed due to an abnormality occurring in either the mainmicrocomputer 11 or the sub microcomputer 12, the monitoring apparatus13 can detect the abnormality of the calculation result, therebyimproving the safety of the vehicle.

(1b) The monitoring apparatus 13 does not need to store vehiclespecifications in advance. Therefore, an electronic control unit withhigh versatility can be used as the monitoring apparatus instead of anelectronic control unit manufactured according to the type of vehicle,Therefore, it is possible to reduce the manufacturing cost of themonitoring apparatus and improve the reliability by sharing parts.

(1c) The determination module 42 determines that the vehiclespecifications received by the specification reception module 41 areappropriate when the vehicle specifications received from the mainmicrocomputer 11 matches with that from the sub microcomputer 12.Therefore, the certainty of the vehicle specifications can be determinedmore accurately.

(1d) The main microcomputer 11 and the sub microcomputer 12 performmutual monitoring to determine whether an abnormality has occurred inthe other microcomputer. The main microcomputer 11 and the submicrocomputer 12 perform normal control if there is no abnormalityregardless of the determination result by the determination module 42.Therefore, even if it is a case where the monitoring apparatus 13 cannotmonitor the fallback travel, the vehicle is enabled to be activated, sothat it is possible to suppress a decrease in convenience for the user.

(1e) If the vehicle specifications received in the past at the time ofactivation is stored in the memory 13 a, the monitoring apparatus 13does not receive the vehicle specifications again, and determineswhether or not the vehicle specifications are appropriate. Therefore,the time until the vehicle is activated can be shortened. In the firstembodiment, the vehicle specifications stored in the memory 13 a havebeen determined to be appropriate. Therefore, it can be estimated thatthe vehicle specifications are appropriate without determining whetherthe vehicle specifications are appropriate.

2. Second Embodiment 2-1. Main Difference from First Embodiment

Since the basic configuration of a second embodiment is similar to thefirst embodiment, the main difference will be described below. Note thatthe same reference signs as those in the first embodiment indicate thesame configuration, and refer to the preceding descriptions.

In the first embodiment described above, the configuration in which theactivation of the vehicle is not permitted when it is determined thatthere is an abnormality in the main microcomputer 11 or the submicrocomputer 12, respectively, in S4 or S7 of FIG. 2. On the otherhand, in the second embodiment, even if there is an abnormality in onemicrocomputer, the activation of the vehicle is permitted, and themonitoring apparatus 13 obtains the vehicle specifications from themicrocomputer without abnormality and performs the simulationcalculation of the fallback travel. This is different from the firstembodiment.

2-2. Process

The monitoring apparatus 13 executes a control setting process accordingto the second embodiment, instead of the control setting processaccording to the first embodiment; the control setting process will bedescribed with reference to the flowcharts of FIGS. 3 to 6, In FIG. 4,the process with the same step number as in FIG. 2 is the same as theprocess in FIG. 2. Some explanations are simplified. In addition, theprocess according to FIG. 3 is not substantially changed in processingcontent as compared with the first embodiment.

In FIG. 4, after the monitoring apparatus 13 receives the abnormalitydiagnosis result of the main microcomputer 11 in S3, the processproceeds to S41. In S41, the monitoring apparatus 13 determines whetheror not an abnormality has occurred in the main microcomputer 11. If themonitoring apparatus 13 determines in S41 that an abnormality hasoccurred in the main microcomputer 11 in S41, the monitoring apparatus13 proceeds to S51 in FIG. 5. On the other hand, if the monitoringapparatus 13 determines in S41 that no abnormality has occurred in themain microcomputer 11, the monitoring apparatus 13 proceeds to S5.

Further, after the monitoring apparatus 13 receives the abnormalitydiagnosis result of the sub microcomputer 12 in S6, the process proceedsto S42. In S42, the monitoring apparatus 13 determines whether or notthere is an abnormality in the sub microcomputer 12. If the monitoringapparatus 13 determines in S42 that an abnormality has occurred in thesub microcomputer 12, the monitoring apparatus 13 proceeds to S61 inFIG. 6. On the other hand, if the monitoring apparatus 13 determines inS42 that no abnormality has occurred in the sub microcomputer 12, themonitoring apparatus 13 proceeds to S8.

Next, a process when it is determined in S41 that an abnormality hasoccurred in the main microcomputer 11 will be described with referenceto FIG. 5. In S51, the monitoring apparatus 13 receives the abnormalitydiagnosis result of the sub microcomputer 12 from the second diagnosismodule 33.

In S52, the monitoring apparatus 13 determines whether or not anabnormality has occurred in the sub microcomputer 12. If the monitoringapparatus 13 determines in S52 that an abnormality has occurred in thesub microcomputer 12, the monitoring apparatus 13 ends this controlsetting process without permitting the vehicle to be activated.

On the other hand, if the monitoring apparatus 13 determines in S52 thatno abnormality has occurred in the sub microcomputer 12, the monitoringapparatus 13 proceeds to S53 and receives vehicle specifications fromthe sub microcomputer 12. In S54, the monitoring apparatus 13 stores thevehicle specifications received in S53 in the memory 13 a of themonitoring apparatus 13.

In S55, the monitoring apparatus 13 enables the fallback travel. Here,for example, a flag for permitting the fallback travel is turned on. InS56, the monitoring apparatus 13 notifies the occupant of the failure byoutputting a signal to a control device that controls a display and aspeaker (not shown).

In S57, the monitoring apparatus 13 permits vehicle activation. Here,for example, a flag for permitting vehicle activation is turned on andthe vehicle is activated. Thereafter, the process proceeds to S25 ofFIG. 3.

Next, a process when it is determined in S46 that an abnormality hasoccurred in the sub microcomputer 12 will be described with reference toFIG. 6. In S61, the monitoring apparatus 13 stores the vehiclespecifications received from the main microcomputer 11 in S5 in thememory 13 a of the monitoring apparatus 13.

In S62, the monitoring apparatus 13 enables the fallback traveling.Here, for example, a flag for permitting fallback travel is turned on.In S63, the monitoring apparatus 13 notifies the occupant of the failureby outputting a signal to a control device that controls a display and aspeaker (not shown).

In S64, the monitoring apparatus 13 permits the vehicle activation.Here, for example, a flag for permitting vehicle activation is turned onand the vehicle is activated. Thereafter, the process proceeds to S30 ofFIG. 3.

2-3. Effects

According to the second embodiment described in detail above, theeffects (1a) to (1e) of the first embodiment described above areachieved, and the following effects are further achieved.

(2a) In the driving force control system 1 of the second embodiment, themonitoring apparatus 13 receives the abnormality diagnosis result of themain microcomputer 11 before receiving the vehicle specifications fromthe main microcomputer 11, and receives the abnormality diagnosis resultof the sub microcomputer 12 before receiving the vehicle specificationsfrom the sub microcomputer 12. When the monitoring apparatus 13determines that one of the microcomputers is abnormal, the monitoringapparatus 13 receives the vehicle specifications from the microcomputerthat is not abnormal and monitors the fallback travel. For this reason,even when it is determined that one of the microcomputers is abnormalbefore the vehicle is activated, the driving force control system 1 isenabled to perform the fallback travel and the convenience for the useris improved.

3. Other Embodiments

While the embodiments of the present disclosure have been described, thepresent disclosure is not limited to the embodiments described above andcan be modified in various manners.

(3a) In the first and second embodiments, the configuration includingthe two microcomputers of the main microcomputer 11 and the submicrocomputer 12 is illustrated as an example of the electronic controlapparatus, but the present disclosure is not limited to this. Forexample, as shown in the driving force control system 101 shown in FIG.7, a configuration including the main microcomputer 102 and themonitoring apparatus 103 without including the sub microcomputer may beemployed. In this configuration, since the monitoring apparatus 103cannot compare the vehicle specifications received from the twomicrocomputers, it determines whether or not the vehicle specificationsare appropriate by another method. For example, the monitoring apparatus103 can employ (i) a determination method using a checksum, (li) adetermination method for determining that the vehicle specifications areappropriate when a predetermined password is transmitted from themicrocomputer separately from the vehicle specifications and thepassword matches, or (lii) a determination method for determiningwhether or not the vehicle specifications are within a predeterminedrange, and determining that the vehicle specifications are appropriateif the vehicle specifications are within the range.

In the driving force control system 101 of FIG. 7, normal control by themain microcomputer 11 is performed until an abnormality is detected bythe first diagnosis module 24. After the abnormality is detected, thefallback control by the main microcomputer 11 may be performed. Further;the fallback control may be executed only when the determination module42 of the monitoring apparatus 13 determines that the vehiclespecifications received from the main microcomputer 11 are appropriate.

(3b) In the first and second embodiments, the configuration in which themonitoring apparatus 13 includes the notification module 45 isillustrated, but the notification module may be provided in anelectronic control unit other than the monitoring apparatus 13.

(3c) In the first and second embodiments, the configuration in which themain microcomputer 11, the sub microcomputer 12, and the monitoringapparatus 13 are housed in one housing 2 is exemplified. However, theelectronic control units may be divided into two or more housings. Forexample, some electronic control units may be configured as part ofother electronic control unit.

(3d) In the first and second embodiments, the main microcomputer 11 andthe sub microcomputer 12 have exemplified the configuration capable ofexecuting normal control and fallback control, but other controls andthree or more different controls of the driving force may be configuredto be executable. Further, the monitoring apparatus 13 may be configuredto be able to perform a driving force simulation calculation for acontrol other than the fallback control and to be compared with adriving force calculation result by a microcomputer.

The monitoring apparatus 13 may be configured to set whether or not thecontrol by the electronic control apparatus is set according to whetheror not the vehicle specifications are appropriate for the control otherthan the fallback control. For example, when it is determined that thevehicle specifications are not appropriate, the monitoring apparatus 13may be configured not to permit the vehicle to be activated.Specifically, if the vehicle specifications do not match in S9 in FIG.2, the control setting process may be ended without permitting thevehicle to be activated.

(3e) A monitoring apparatus described above may be provided to includeone or more controllers or processors, which may be also provided as oneor more special purpose computers. The controllers may be achieved byincluding a plurality of modules, which may be also referred to assteps, sections, or units, to provide the respective functions. Notethat such a module included in the controller or the controller itselfmay be configured by (i) a central processing unit (CPU) along withmemory storing instructions (i.e., computer program) executed by theCPU, or (ii) hardware circuitry such as an integrated circuit orhard-wired logic circuit with no CPU, or (iii) both the CPU along withmemory and the hardware circuitry. The computer programs or instructionsmay be stored in a non-transitory tangible computer-readable storagemedium to be executed by the CPU.

(3f) Multiple functions of one element in the described above embodimentmay be implemented by multiple elements, or one function of one elementmay be implemented by multiple elements. Further, multiple functions ofmultiple elements may be implemented by one element, or one functionimplemented by multiple elements may be implemented by one element. Apart of the configuration of the above embodiments may be omitted. Atleast a part of the configuration of the above embodiments may be addedto or replaced with another configuration of the above embodiments.

(3g) The present disclosure may be realized in a plurality of forms, inaddition to the monitoring apparatus described above; the other formsmay include a system including the monitoring apparatus as an element, aprogram for causing a computer to function as the monitoring apparatus,a non-transitory tangible storage medium such as a semiconductor memorystoring the program, and a monitoring method.

For reference to further explain features of the present disclosure, thedescription is added as follows.

A system is known in which a plurality of electronic control unitscommunicate with each other. For example, a technique is proposed whichtransmits and receives data necessary for execution of processing by theelectronic control units during operation of the system.

There is a driving force monitoring system that includes a plurality ofelectronic control units to control the driving force of a vehicle. Insuch a driving force monitoring system, if the data transmitted andreceived is inappropriate, a safety of an occupant of the vehicle maynot be secured sufficiently.

It is thus desired to provide a technique capable of proving the safetyof a vehicle.

Aspects of the present disclosure described herein are set forth in thefollowing clauses.

According to a first aspect of the present disclosure, a monitoringapparatus used in a vehicle is provided to communicate with anelectronic control apparatus that controls a driving force of thevehicle by executing any one of a plurality of predetermined differentcontrols. The monitoring apparatus includes a specification receptionmodule, a determination module, and a setting module. The specificationreception module is configured to receive a vehicle specification fromthe electronic control apparatus. The determination module is configuredto determine whether the vehicle specification received by thespecification reception module is appropriate. The setting module isconfigured to set whether at least one of the predetermined differentcontrols is permitted or not permitted to be executed by the electroniccontrol apparatus in response to a determination result by thedetermination module.

In the above, the specification reception module, the determinationmodule, and the setting module may be provided to be included in one ormore controllers communicating with the electronic control apparatus.

According to such a configuration, the monitoring apparatus can causethe electronic control apparatus to execute different driving forcecontrols depending on whether or not the received vehicle specificationis appropriate. Therefore, for example, when the vehicle specificationreceived by the monitoring apparatus is not appropriate, only thedriving force control with high safety can be permitted to be executedby the electronic control apparatus. The safety of the vehicle can bethus improved.

According to another aspect of the present disclosure, a driving forcecontrol system mounted to a vehicle is provided to include an electroniccontrol apparatus configured to control a driving force of the vehicleby executing any one of a plurality of predetermined different controlsand a monitoring apparatus configured to communicate with the electroniccontrol apparatus. The monitoring apparatus includes a specificationreception module, a determination module, and a setting module. Thespecification reception module is configured to receive a vehiclespecification from the electronic control apparatus. The determinationmodule is configured to determine whether the vehicle specificationreceived by the specification reception module is appropriate. Thesetting module is configured to set whether at least one of thepredetermined different controls is permitted or not permitted to beexecuted by the electronic control apparatus in response to adetermination result by the determination module. In the above, thespecification reception module, the determination module, and thesetting module may be provide to be included in one or more controllerscommunicating with the electronic control apparatus.

According to such a configuration, the monitoring apparatus can causethe electronic control apparatus to execute different driving forcecontrols depending on whether or not the received vehicle specificationis appropriate. Therefore, for example, when the vehicle specificationreceived by the monitoring apparatus is not appropriate, only thedriving force control with high safety can be permitted to be executedby the electronic control apparatus. The safety of the vehicle can bethus improved.

What is claimed is:
 1. A monitoring apparatus used in a vehicle tocommunicate with an electronic control apparatus that controls a drivingforce of the vehicle by executing any one of a plurality ofpredetermined different controls, the monitoring apparatus comprising: aspecification reception module configured to receive a vehiclespecification from the electronic control apparatus; a determinationmodule configured to determine whether the vehicle specificationreceived by the specification reception module is appropriate; and asetting module configured to set whether at least one of thepredetermined different controls is permitted or not permitted to beexecuted by the electronic control apparatus in response to adetermination result by the determination module.
 2. The monitoringapparatus according to claim 1, wherein: the electronic controlapparatus includes a first electronic control unit and a secondelectronic control unit; the specification reception module isconfigured to receive the vehicle specification from the firstelectronic control unit and the second electronic control unit; and thedetermination module is configured to determine that the vehiclespecification received by the specification reception module isappropriate in response to that the vehicle specification received fromthe first electronic control unit match the vehicle specificationreceived from the second electronic control unit.
 3. The monitoringapparatus according to claim 2, wherein: each of the first electroniccontrol unit and the second electronic control unit is configured to becapable of executing each of (i) a normal control and (ii) a fallbackcontrol whose function is limited as compared to the normal control, asthe plurality of predetermined different controls; a one of the firstelectronic control unit and the second electronic control unit monitorswhether or not an abnormality occurs in a different one of the firstelectronic control unit and the second electronic control unit; inresponse to that no abnormality occurs in any of the first electroniccontrol unit and the second electronic control unit, the normal controlis executed; in response to that an abnormality occurs in either thefirst electronic control unit or the second electronic control unit, thefallback control is executed; and the setting module is configured toset the fallback control as being not permitted to be executed inresponse to that the determination module determines that the vehiclespecification received by the specification reception module is notappropriate.
 4. The monitoring apparatus according to claim 2, wherein:each of the first electronic control unit and the second electroniccontrol unit is configured to be capable of executing (i) a normalcontrol and (ii) a fallback control whose function is limited ascompared to the normal control, as the predetermined different controls;the first electronic control unit is configured to be able to execute anabnormality diagnosis of the first electronic control unit, and thesecond electronic control unit is configured to be able to execute anabnormality diagnosis of the second electronic control unit; themonitoring apparatus further comprises an abnormality reception moduleconfigured to receive a result of the abnormality diagnosis from thefirst electronic control unit and the second electronic control unit;and in response to that the abnormality reception module receives aresult of the abnormality diagnosis indicating that an abnormalityoccurs in a one of the first electronic control unit and the secondelectronic control unit, the setting module is configured to set thefallback control as being permitted to be executed by a different one ofthe first electronic control unit and the second electronic controlunit.
 5. The monitoring apparatus according to claim 3, furthercomprising: a notification module configured to perform an output tonotify an occupant of the vehicle of an abnormality, wherein thenotification module is configured to perform the output in response tothat the determination module determines that the vehicle specificationreceived by the specification reception module is not appropriate. 6.The monitoring apparatus according to claim 1, wherein: the settingmodule is configured to prevent the specification reception module fromreceiving the vehicle specification in response to that the vehiclespecification of the electronic control apparatus is stored in themonitoring apparatus when the monitoring apparatus is activated.
 7. Themonitoring apparatus according to claim 1, further comprising: acalculation module configured to calculate the driving force of thevehicle to provide a calculation result by using a predeterminedcalculation based on the vehicle specification received by thespecification reception module, wherein in response to that an errorbetween (i) the calculation result provided by the calculation moduleand (ii) a calculation result by the electronic control apparatus byusing the predetermined calculation is within a predetermined range, thesetting module is configured to set a specified control using thepredetermined calculation, from the predetermined different controls, asbeing permitted to be executed by the electronic control apparatus.
 8. Adriving force control system mounted to a vehicle, comprising: anelectronic control apparatus configured to control a driving force ofthe vehicle by executing any one of a plurality of predetermineddifferent controls; and a monitoring apparatus configured to communicatewith the electronic control apparatus, the monitoring apparatuscomprising: a specification reception module configured to receive avehicle specification from the electronic control apparatus; adetermination module configured to determine whether the vehiclespecification received by the specification reception module isappropriate; and a setting module configured to set whether at least oneof the predetermined different controls is permitted or not permitted tobe executed by the electronic control apparatus in response to adetermination result by the determination module.
 9. A monitoringapparatus used in a vehicle, comprising: a controller connected via acommunication link with an electronic control apparatus that controls adriving force of the vehicle by executing any one of a plurality ofpredetermined different controls, the controller being configured to:receive a vehicle specification from the electronic control apparatus;determine whether the received vehicle specification is appropriate toprovide a determination result; and set whether at least one of thepredetermined different controls is permitted or not permitted to beexecuted by the electronic control apparatus in response to thedetermination result.